2.5 TECHNICAL NOTE FTP




Version 2.5 TECHNICAL NOTE
FTP Protocol Agent Overview

Stonesoft Corp., Itälahdenkatu 22A, FIN-00210 Helsinki, Finland
Tel. +358 (9) 4767 11, Fax. +358 (9) 4767 1234, email: info@stonesoft.com
Copyright 2002 Stonesoft Corp. All rights reserved. All trademarks or registered trademarks are property of their respective owners.

Protocol Overview

File Transfer Protocol (FTP) is a well-known protocol, defined by RFC 959. There are, however, some extensions to the protocol; see the section Related Standards below for more information about them. FTP is platform independent.

Communication Model

FTP uses one control connection, to the standard port 21. For transmitting data, FTP uses separate data connections. The port and IP address for a data connection are negotiated within the control connection. There are two modes for the data connection: active and passive. An active data connection is opened from the server to the client, a passive one from the client to the server.

Active Connection

The client sends a PORT command within the control connection, telling the server where it should open the data connection to (destination IP address and port). According to RFC 959, the server should use port 20 as the source port; more precisely, the source port is defined to be one below the port listening for control connections. There are, however, server implementations that use a non-standard source port.

Passive Connection

The client sends a PASV command within the control connection, asking where the server is listening for data connections. The server replies with an IP address and port. There is no specification of the source port the client should use.

Related Standards

Based on RFC 959.
- Extended commands MDTM, TVFS, MLST, and MLSD are specified in an Internet draft at http://www.ietf.org/internet-drafts/
- Extended commands OPTS, LANG, and FEAT are specified in RFC 2640 and RFC 2389.

Protocol Agent Description

The main purpose of the FTP Protocol Agent (PA) is to open the related data connection negotiated by a PORT command or a PASV reply. The PA translates the IP addresses of the data connection in the same way as on the parent (control) connection, and the commands carrying IP address and port data are altered accordingly. This ensures that the FTP connections are correctly routed. The FTP agent is fully transparent to the user.

Validity of the Protocol

The FTP agent also inspects protocol validity. There are two selectable levels of inspection: strict and loose, loose being the default. FTP uses TCP/IP, and sending any other protocol to the FTP PA is a fatal error and is treated as such: the connection is terminated and the error is logged.

General Requirements

The most critical requirement is that a command must terminate with <CR><LF> (carriage return, linefeed). This requirement derives from the fact that the FTP control stream must comply with the Telnet protocol. Additionally, the address data carried by the PORT command or the PASV response must be contained in one packet. The requested data connection port must be in the range 1024-65535. Moreover, no third-party IP address may be involved in the exchange of data.

As mentioned earlier, there are two basic cases of FTP data connections: active and passive. The FTP PA allows a data connection immediately when it sees a valid PORT command or a successful reply to a PASV command.
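The requirements above applied to the two control-channel lines that carry data-connection addresses, as an added example that is not code from the note or from StoneGate: it parses a PORT command and a 227 reply (the 227 text is accepted in the form the note gives for loose mode, free text with no CR, LF or digit around the six address fields), rejects a missing <CR><LF>, a port outside 1024-65535 and any third-party address, and reports which data connection the line authorises. The client and server addresses and the sample lines are constructed values.

```python
import re

# Loose-mode 227 form from the note: 227<SPACE>*<h1,h2,h3,h4,p1,p2>*<LF>, where *
# is free text containing no <CR>, no <LF> and no digit (a CR directly before
# the final LF is tolerated here).
PASV_LOOSE_RE = re.compile(
    r"^227 [^\r\n0-9]*"
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
    r"[^\r\n0-9]*\r?\n$")
# PORT command in its RFC 959 form; the note requires <CR><LF> termination.
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$",
    re.IGNORECASE)
DATA_PORT_MIN, DATA_PORT_MAX = 1024, 65535  # data port range the note requires


def _decode(fields):
    """Six decimal byte fields -> (dotted IPv4, port) with port = p1 * 256 + p2."""
    values = [int(f) for f in fields]
    if any(v > 255 for v in values):
        raise ValueError("address field exceeds 255")
    return ".".join(str(v) for v in values[:4]), (values[4] << 8) | values[5]


def _check(ip, port, peer_ip, role):
    # No third-party address: the data endpoint must be the control-connection peer.
    if ip != peer_ip:
        raise ValueError(f"third-party address {ip}; expected {role} {peer_ip}")
    if not DATA_PORT_MIN <= port <= DATA_PORT_MAX:
        raise ValueError(f"data port {port} outside {DATA_PORT_MIN}-{DATA_PORT_MAX}")


def parse_port_command(line, client_ip):
    """Client's PORT line -> (client_ip, port); ValueError if it fails a check."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("PORT not of the form 'PORT h1,h2,h3,h4,p1,p2<CR><LF>'")
    ip, port = _decode(m.groups())
    _check(ip, port, client_ip, "client")
    return ip, port


def parse_pasv_reply(line, server_ip):
    """Server's 227 reply -> (server_ip, port); ValueError if it fails a check."""
    m = PASV_LOOSE_RE.match(line)
    if not m:
        raise ValueError("227 reply not in loose-mode form (no CR/LF/digit in text)")
    ip, port = _decode(m.groups())
    _check(ip, port, server_ip, "server")
    return ip, port


def decide_data_connection(line, client_ip, server_ip):
    """Verdict for one control-channel line: ("allow", mode, src, dst, port) or
    ("deny", reason). Active: the server opens to the client's PORT address.
    Passive: the client opens to the port the server advertises in the 227 reply."""
    try:
        if line[:4].upper() == "PORT":
            ip, port = parse_port_command(line, client_ip)
            return "allow", "active", server_ip, ip, port
        if line.startswith("227"):
            ip, port = parse_pasv_reply(line, server_ip)
            return "allow", "passive", client_ip, ip, port
        raise ValueError("line carries no data-connection address")
    except ValueError as exc:
        return "deny", str(exc)
```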

Loose Mode

In loose mode, the Protocol Agent only tries to identify the information needed to allow a data connection. For that, the command-reply pairs of the protocol must match; for example, opening a passive data connection requires identifying the PASV command and its corresponding reply. In loose mode, the recognized passive reply has to be of the form

  227<SPACE>*<x,x,x,x,y,y>*<LF>

where * is a string that contains neither <CR> nor <LF> nor any digit. The related connection is allowed to be established immediately after the address data is found.

Strict Mode

Strict mode tries to enforce protocol integrity. The basic idea is that all command-response pairs are understood and checked for compliance with RFC 959. Connections containing commands that do not comply with the RFC are dropped. This means only partial understanding and checking; more precise checking would create unnecessary overhead. The recognized passive reply forms are:

  227 Entering Passive Mode (<x,x,x,x,y,y,>*<LF>
  227 Entering Passive Mode(<x,x,x,x,y,y,>*<LF>
  227 Passive Mode Entered <x,x,x,x,y,y>*<LF>
  227 Passive Mode (<x,x,x,y,y,>*<LF>

Here * denotes a string that contains neither <CR> nor <LF> nor any digit. The related connection is opened immediately after the address data is found.
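A checker for the strict-mode sequencing rules the note lists, as an added example that is not the PA's code: one outstanding command at a time, only the commands of Table 1.6, a reply code from 100 to 599, at least the code plus a terminator, no spontaneous reply, and the reply RFC 959 assigns for PORT, PASV, USER and PASS. Its assumptions are marked in the comments: the server greeting is treated as the reply to the connection itself, 1xx replies are preliminary, and an RFC 959 multi-line reply runs until a line starting with the code and a space; the sample exchange is constructed.

```python
# Command set from Table 1.6 of the note (the commands the FTP PA recognises).
KNOWN_COMMANDS = frozenset(
    "ABOR ACCT ALLO APPE CDUP CWD DELE FEAT HELP LANG LIST MDTM MKD MLSD MLST MODE "
    "NLST NOOP OPTS PASS PORT PASV PWD QUIT REIN REST RETR RMD RNFR RNTO SITE SMNT "
    "STAT STOR STOU STRU SYST TVFS TYPE USER".split())
# 2xx/3xx codes RFC 959 assigns to the commands checked under the note's "reply
# must be as expected" rule; every other command only gets the code check.
EXPECTED_POSITIVE = {"PORT": {200}, "PASV": {227},
                     "USER": {230, 331, 332}, "PASS": {230, 202, 332}}


class StrictViolation(Exception):
    """First violation found; the PA would drop the connection at this point."""


class StrictControlChecker:
    def __init__(self):
        # Assumption (not stated in the note): the server greeting answers the
        # connection itself, so it does not count as a spontaneous reply.
        self.pending = "<connect>"
        self.multiline = None  # code of a multi-line reply still in progress

    def client(self, line):
        if not line.endswith("\r\n"):
            raise StrictViolation("command not terminated with <CR><LF>")
        if self.pending is not None:
            raise StrictViolation(f"new command before reply to {self.pending}")
        verb = line[:-2].split(" ", 1)[0].upper()
        if verb not in KNOWN_COMMANDS:
            raise StrictViolation(f"unrecognised command {verb!r}")
        self.pending = verb

    def server(self, line):
        if self.multiline:  # RFC 959 multi-line reply ends with "<code><SP>..."
            if line.startswith(self.multiline + " "):
                self.multiline, self.pending = None, None
            return
        if self.pending is None:
            raise StrictViolation("spontaneous reply with no outstanding command")
        if len(line) < 4:
            raise StrictViolation("reply shorter than reply code + terminator")
        code = line[:3]
        if not code.isdigit() or not 100 <= int(code) <= 599:
            raise StrictViolation(f"invalid reply code {code!r}")
        want = EXPECTED_POSITIVE.get(self.pending)
        if want and code[0] in "23" and int(code) not in want:
            raise StrictViolation(f"reply {code} not expected for {self.pending}")
        if line[3] == "-":
            self.multiline = code
        elif code[0] != "1":  # 1xx is preliminary: the final reply still follows
            self.pending = None


def first_violation(turns):
    """turns: [("C", line) or ("S", line), ...] in wire order -> (index, message) of
    the first strict-mode violation, or None when the exchange is clean."""
    checker = StrictControlChecker()
    for i, (side, line) in enumerate(turns):
        try:
            (checker.client if side == "C" else checker.server)(line)
        except StrictViolation as exc:
            return i, str(exc)
    return None


# Constructed sample exchange, not captured traffic.
CLEAN = [("S", "220 ready\r\n"), ("C", "USER anon\r\n"), ("S", "331 pw\r\n"),
         ("C", "PASS x\r\n"), ("S", "230 ok\r\n"), ("C", "PASV\r\n"),
         ("S", "227 Entering Passive Mode (203,0,113,5,195,80)\r\n"),
         ("C", "RETR a\r\n"), ("S", "150 opening\r\n"), ("S", "226 done\r\n")]
```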

The following violations are detected in strict mode:
- A client sends a command that is not recognized by the FTP PA.
- A new command is sent before the reply to the previous command has been received.
- A reply must contain at least 3+1 characters, i.e. the reply code plus one termination character, and all of these characters must be in one packet.
- A reply must always contain a valid reply code, from 100 to 599.
- A spontaneous reply, i.e. a reply with no preceding command.

Command from Client

Only known commands are accepted. See the command list in the section Supported FTP Commands below.

Reply from Server

The replies are checked for invalid form. There are several rules:
- A reply must contain at least four characters.
- The reply code must be from 100 to 599.
- A reply must match a command.
- A reply must be as expected.
Most responses are not checked beyond the validity of the reply code.

CIS Redirection

The FTP PA is capable of redirecting FTP connections. This feature is used to redirect the control and data connections through a Content Inspection Server (CIS), which acts as an FTP proxy. First, the control connection is directed to the CIS instead of the original destination. Then, the original destination address is appended to the USER command, so the USER command is changed into the form USER username@origip. The PA takes care of NAT, so the redirection is totally transparent to the client. After content screening, the CIS forwards the traffic back to StoneGate if it is deemed acceptable. Another FTP Protocol Agent then simply allows the traffic to pass to the FTP server. When the data connection is opened, it is handled in a similar manner. Redirection is not a feature specified by the RFC, and compatibility with all content inspection servers is not guaranteed.

Redirection of outbound FTP traffic

Figure 1.1 illustrates how an outbound FTP connection is redirected to the CIS. The FTP client and the CIS have to be in separate networks. In the example, the client is located on the internal network and the server on the Internet.

FIGURE 1.1 Outbound FTP redirection to CIS (elements shown: internal FTP client, SG with PA #1 and PA #2, CIS, FTP server on the Internet)

1. The client initiates an FTP control connection to the server's public IP address, port 21. StoneGate matches the control connection against its rule base and, if the connection is allowed, proceeds with it.
2. StoneGate automatically activates the Protocol Agent associated with the service (FTP).
3. The FTP Protocol Agent (PA #1 in the figure) redirects the control connection to a specified content inspection server (CIS) to have the validity of the contents checked. The CIS is typically located on a separate internal network. PA #1 performs NAT on the packets belonging to the connection to change the source and destination addresses: the destination IP address is changed from the address of the FTP server to the address of the CIS, and the source from the client address to another address, as specified in the Protocol Agent properties. The source NAT address can be any address that will be routed back through StoneGate. In addition, the original destination IP address (the FTP server's public IP) is appended to the USER command in the packet (i.e., it takes the form USER username@origip).
4. The CIS receives the packets and examines the validity of their contents.
5. The CIS sends the validated packets back to the source address specified in the Protocol Agent properties.
6. If the connections from the CIS are routed back through StoneGate, the FTP Protocol Agent (PA #2) in StoneGate handles the control connection from there on. The rule allowing those connections should have an FTP PA defined, but without the redirection parameter. It sees that the connection comes from the CIS and allows it to pass to its final destination.
7. Once the client gets a reply from the server, the data connection can be established according to the selected mode (active or passive). It is handled in a similar manner.

Redirection of inbound FTP traffic

Figure 1.2 illustrates the redirection of FTP traffic from the internal network's point of view. The FTP client and the CIS have to be in separate networks. In the example, the server is located on the internal network (DMZ) and the client on the Internet.

FIGURE 1.2 Inbound FTP redirection to CIS (elements shown: client on the Internet, SG with PA #1 and PA #2, CIS, public FTP server on the DMZ)

1. The client initiates an FTP control connection to the server's public IP address, port 21. StoneGate matches the control connection against its rule base and, if the connection is allowed, proceeds with it.
2. StoneGate automatically activates the Protocol Agent associated with the service (FTP).
3. The FTP Protocol Agent (PA #1 in the figure) redirects the control connection to a specified content inspection server (CIS) to have the validity of the contents checked. The CIS is typically located on a separate internal network. PA #1 performs NAT on the packets belonging to the connection to change the source and destination addresses: the destination IP address is changed from the address of the FTP server to the address of the CIS, and the source from the client address to another address, as specified in the Protocol Agent properties. The source NAT address can be any address that will be routed back through StoneGate. In addition, the original destination IP address (the FTP server's public IP) is appended to the USER command in the packet (i.e., it takes the form USER username@origip).
4. The CIS receives the packets and examines the validity of their contents.
5. The CIS sends the validated packets back to the source address specified in the Protocol Agent properties.
6. If the connections from the CIS are routed back through StoneGate, the FTP Protocol Agent (PA #2) in StoneGate handles the control connection from there on. The rule allowing those connections should have an FTP PA defined, but without the redirection parameter. It sees that the connection comes from the CIS and allows it to pass to its final destination.
7. Once the server replies to the client, the data connection can be established according to the selected mode (active or passive). It is handled in a similar manner.

Logging

The purpose of logging is to report successful events and possible errors (both protocol and internal). In the diagnostic mode of StoneGate, there are three cases where a successful event is logged for FTP connections:
- new control connection
- new active mode data connection
- new passive mode data connection
All strict mode violations are logged only in strict mode; such violations are not reported in loose mode.

Exceptions, Limitations and Assumptions

Currently, it is not checked whether a user has successfully logged in before commands for opening a data connection are accepted. According to the FTP protocol definition, the number of data connections is not limited, so by using PORT commands or PASV command/response pairs it is possible to open an arbitrary number of data connections between the FTP server and client. A data connection can only be created between the hosts forming the control connection; no third-party IP addresses can be involved.

Current Protocol Agents do not support the use of ports in load balancing (a setting in Cluster Properties) if NAT is applied to the connection to which the PA is attached. Enabling the port setting leads to a connection drop.

Known Issues

Supporting non-standard and standard server data connection ports in such a way that either a port range (such as 1024-65536) or the standard port (usually 20) would be accepted is not possible with a single instance of the PA. You can configure several instances to be used with different connections that are matched by rules.

When defining a NAT rule, the following limitations should be taken into account. Otherwise, the FTP PA will not allow the data connection to pass the firewall and an error will be logged.
- For all types of data connections, the PA translates the IP address in exactly the same way as for the control connection.
- Active mode data connection with a standard FTP server (also with CIS redirection): the NAT destination port is constrained to the range 1024-65535.
- Passive mode data connection (also with CIS redirection): the NAT source port is constrained to the same port value as the original destination port (1024-65535).
The most typical reasons why allowing a data connection fails are:
- a NAT rule matches the control connection but conflicts with the NAT limitations mentioned above
- a NAT rule matches only the data connection but conflicts with the NAT limitations mentioned above.
This limitation only concerns versions up to 2.1.

Security Benefits

The integrity of the protocol is enforced by the FTP PA when strict mode is used. See the section Validity of the Protocol above for more information about the checks, including those made in loose mode.

Fail-over Transparency

If a clustered node fails or crashes, it is possible that the PA's latest state has not been synchronized, so that the agent taking over the connection is left with an outdated state. In such a case, the agent might cut the connection as invalid, especially when strict mode is used.

Configuration Options

TABLE 1.1 Allow active mode
  Values:      Yes; No (default)
  Description: Active mode allowed

TABLE 1.2 Allow passive mode
  Values:      Yes; No (default)
  Description: Passive mode allowed

TABLE 1.3 Control data inspection module
  Values:      Strict; Loose (default)
  Description: Selection of the protocol inspection level

TABLE 1.4 Redirect connections to CIS
  Values:      A CIS server defined in the Server section of the Network Element Manager, or none to disable redirection (default)
  Description: Selection of the CIS to which the connection is redirected

TABLE 1.5 Highest/lowest allowed non-standard source port number of active mode data connection from server
  Values:      1-65535, or 0 for both (default 0-0)
  Description: Port range of accepted non-standard server source ports in active mode. The valid range is 1-65535. The value 0 means that a non-standard port is not accepted.

Supported FTP Commands

The commands marked with * are extensions, and thus not recognized by RFC 959 (the original document highlights them). For the extensions, see the links in the section Related Standards above.

TABLE 1.6 FTP commands
ABOR ACCT ALLO APPE CDUP CWD DELE FEAT* HELP LANG* LIST MDTM* MKD MLSD* MLST* MODE NLST NOOP OPTS* PASS PORT PASV PWD QUIT REIN REST RETR RMD RNFR RNTO SITE SMNT STAT STOR STOU STRU SYST TVFS* TYPE USER